Every website visit starts with a DNS lookup. Escudo checks that lookup against 18 threat intelligence feeds and blocks dangerous domains before they load. No software to install on any device.
Change your DNS. Protection starts immediately. Every device on your network is covered.
Point your router to Escudo's DNS servers. Two IP addresses, under 2 minutes. Every device on your network now routes DNS through Escudo.
When any device tries to visit a website, Escudo checks the domain against 1.5 million+ known threats. Malware, phishing, fake banks, ad trackers — all checked in under 5ms.
Legitimate sites resolve normally. Dangerous domains get blocked with a warning page. Your dashboard shows what was blocked and why.
The difference is one extra check — and it happens in under 5 milliseconds.
For security teams, developers, and anyone who wants to understand the technology.
Protective DNS is a security layer that inspects DNS queries before resolving them. Instead of blindly translating domain names to IP addresses, PDNS checks each query against threat intelligence feeds and blocks known-malicious domains at the network level.
The concept was pioneered by the UK government's National Cyber Security Centre (NCSC) for government agencies, and has since been adopted by the US NSA/CISA, the EU's DNS4EU initiative, and Australia's ASD. Escudo brings the same approach to homes, businesses, and ISPs.
Because it operates at the DNS layer, PDNS protects every device on a network — phones, laptops, IoT devices, smart TVs — without installing software on any of them.
Domain Generation Algorithms (DGAs) are used by malware to create thousands of random-looking domain names that serve as rendezvous points with command-and-control servers. Examples: xjk3m9p2.xyz, a8f2kd9s.net.
Escudo uses entropy analysis and n-gram frequency models to detect DGA domains in real time. Legitimate domains have predictable character patterns (dictionary words, brand names). DGA domains have measurably higher randomness. Our models achieve 97%+ detection accuracy with under 0.01% false positive rate.
When a DGA domain is detected, the query is blocked and the event is logged with cryptographic evidence for forensic analysis.
Escudo aggregates 18 threat intelligence feeds, updated every 5 minutes. These include:
Public feeds: URLhaus (abuse.ch), PhishTank, CERT.br threat indicators, Spamhaus DBL, Malware Bazaar, OpenPhish, and the SANS Internet Storm Center.
Escudo proprietary: Banking typosquat detection, fraud domains, newly registered domain analysis (NRD), DGA entropy detection, and DNS tunneling pattern matching.
The combined blocklist contains 1.5 million+ domains. Each entry includes metadata: source feed, first-seen timestamp, threat category, and confidence score. All entries are hashed with SHA256 for evidence integrity.
Every blocked query generates a cryptographic evidence record containing: the queried domain, timestamp (UTC), source IP (hashed for privacy), threat category, matched feed, confidence score, and a SHA256 hash of the complete record.
Daily, all records are combined into a merkle tree and the root hash is published. This means any individual record can be verified against the daily root — proving it was not tampered with after the fact.
This evidence chain satisfies LGPD Article 46 security requirements and is accepted by Brazilian courts as digital evidence under Marco Civil da Internet. Businesses can export compliance reports in PDF and JSON formats.
Traditional parental controls require an app on every device — and children can uninstall them. Escudo works at the DNS level, which means the controls are enforced by the network itself, not by software on the device.
When a child's device tries to visit a blocked category (adult content, gambling, social media), the DNS query is intercepted and blocked before the connection is established. The child sees a block page — they cannot bypass it without changing the router DNS settings.
You can set schedules from the dashboard: block TikTok during homework hours (18:00-20:00), allow YouTube on weekends only, block gaming sites after 22:00. All controlled from one place, applied to every device automatically.
Change your DNS to Escudo. Every device on your network is protected immediately. Free for families.